Overview

overview

10

Static

static

3

024d1e75ca...89.dll

windows7-x64

10

024d1e75ca...89.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30-04-2024 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689.dll

  • Size

    523KB

  • MD5

    b639dd87bf7b264f6f9abf7a539cc820

  • SHA1

    bbede20621c9c3c2f9ae12951161510898943576

  • SHA256

    024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689

  • SHA512

    5c610963212ee97bc6f54a146e46f7066d589583bc2a7e5bafbbdb024394f06d0d63191bef84ad117565e0290eb60c3ef41939965b0e855104c306f9c2d8a78e

  • SSDEEP

    6144:jVgB84PzDjnZtI9l1RZWhprVUGpZAo6j1/iFi0MWFVIuSPsLc5S+wT7g7A/o:jGBLDjkFRZUVBDAo4qk0MlY2M87A/o

Score
10/10
trickbotchil43bankerpackertrojan

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

chil43

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Templ.dll packer 3 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

    packer
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2696-4-0x0000000010000000-0x000000001002D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2696-0-0x00000000004F0000-0x000000000051E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2696-8-0x0000000002170000-0x00000000021A8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2696-7-0x0000000000230000-0x000000000025B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2696-9-0x0000000000540000-0x0000000000543000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2696-11-0x0000000002170000-0x00000000021A8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2696-12-0x0000000000540000-0x0000000000543000-memory.dmp
    Filesize

    12KB

    Download
  • memory/3024-10-0x0000000000060000-0x0000000000080000-memory.dmp
    Filesize

    128KB

    Download
  • memory/3024-13-0x0000000000060000-0x0000000000080000-memory.dmp
    Filesize

    128KB

    Download